OS X Yosemite and El Capitan Kerberos
At one point in time, I used MIT Kerberos extensively throughout my workplace environment. LDAP was extended to use GSS-API and was extremely useful until this:
$ kinit [email protected] [email protected]'s Password: kinit: krb5_get_init_creds: Preauth required but no preauth options send by KDC $
The above started happening after I upgraded to OS X Yosemite where Apple basically stopped supporting weak DES and RC4 encryption types on their Kerberos implementation shipped on 10.10 and future OS versions; and rightfully so.
I love this part…
By 2008, commercial hardware costing less than USD 15,000 could break DES keys in less than a day on average. DES is long past its sell-by date.
You can probably do it these days for about $2.60/hour
To get back the functionality on Yosemite without the necessary update on the KDC side (however recommended), follow these steps:
- Install Homebrew
brew install Caskroom/cask/xquartz
brew install homebrew/dupes/heimdal
You should now have your ability to kinit back… for now…
$ /usr/local/Cellar/heimdal/1.6rc2_1/bin/kinit [email protected] [email protected]'s Password: $ klist Credentials cache: API:A5DE7730-A162-40ED-B44A-643C6B962C6F Principal: [email protected] Issued Expires Principal Apr 7 21:01:05 2016 Apr 8 07:01:05 2016 krbtgt/[email protected] $